Security

This topic provides answers to some frequently asked questions on InformixHQ security.

Do I need to keep the initialAdminPassword in the properties file after the InformixHQ server is started for the first time? Isn't it a security issue to keep the password in plain text in the properties file?

The initialAdminPassword property is only required in the InformixHQ server properties file the first time it is started. When the server is started for the very first time, it initializes its internal H2 database and creates the initial admin user. For all subsequent starts of the InformixHQ server, the admin user will already exist and therefore the initialAdminPassword will be ignored if it is present in the properties file. This means that after the server is started for the first time, you can safely remove the initialAdminPassword property from the properties file. This allows you to avoid having that password continue to sit around in plain text in your properties file.

How can I configure HTTPS and/or SSL for InformixHQ?

To use the Secure Sockets Layer (SSL) protocol to encrypt communication with InformixHQ, you will need a keystore and certificate. You can use the method that best fits your environment for creating the keystore and certificate, for example Java keytool, OpenSSL, or even the IBM Global Security Kit (GSKit).

  • Configuring HTTPS in the InformixHQ server

    Once you have the keystore, secure the InformixHQ web user interface and REST API by configuring HTTPS in the InformixHQ server. To do so, set the httpsPort, ssl.keystore.file, and ssl.keystore.password properties in your InformixHQ server properties file. Also set the ssl.key.password property if your key password is different from the keystore password.

    Additionally, if you want to disable HTTP access to the InformixHQ server so that all communication to and from it uses HTTPS, set the httpPort property to -1 in your properties file. If instead you would like the InformixHQ server to automatically redirect all HTTP traffic to the HTTPS port, set the redirectHTTPtoHTTPS property to true.

    Sample InformixHQ server properties file with HTTPS enabled:
    # The initialAdminPassword is only required the first time the InformixHQ server is started
    initialAdminPassword=myAdminPassword
    
    # configure ports
    httpPort=-1
    httpsPort=8088
    redirectHTTPtoHTTPS=false
    
    # configure keystore
    ssl.keystore.file=/opt/informixhq/mykeystore.jks
    ssl.keystore.password=myStorePassword
    # uncomment the following line if a separate key password is required for your keystore
    #ssl.key.password=myKeyPassword
    
  • Once you have HTTPS enabled in the InformixHQ server, you must configure your InformixHQ agents to encrypt their web socket communication with the InformixHQ server. If you use the Deploy Agent button in the UI to have the InformixHQ server automatically deploy the agent, it will automatically configure the agent to use SSL if the InformixHQ server has HTTPS enabled.

    If you are starting your agents manually, enable SSL by setting the ssl.enable property to true in your agent configuration file and then setting the ssl.keystore.file and ssl.keystore.password properties.

    Sample agent configuration file with SSL enabled:
    # host and port of the InformixHQ server
    server.host=localhost
    server.port=8088
    
    # The id of the Informix database server as defined in InformixHQ
    informixServer.id=1
    
    # SSL configuration
    ssl.enable=true
    ssl.keystore.file=/opt/informixhq/mykeystore.jks
    ssl.keystore.password=myStorePassword

How can I encrypt the internal H2 database that the InformixHQ server uses?

The InformixHQ server creates an H2 database to store its internal metadata. The H2 database file, h2db.mv.db, is created in the directory where you start the InformixHQ server. It stores information about the groups and servers you define in the tool (including the database server connection credentials), the monitoring and alerting profiles, and alerting incidents.

You can configure encryption for this H2 database file by setting the following properties in your InformixHQ server configuration file.
h2.encrypt.enable=true
h2.encrypt.password=some_password

Optionally, you can also set the h2.encrypt.algorithm property if you want to set the encryption algorithm to something other than AES.

Note: If you want to encrypt the H2 database, you must set these properties the first time you start the InformixHQ server, when the H2 database is first created and initialized. You cannot change your H2 encryption configuration after the H2 database has been created. If you want to encrypt an H2 database that has already been created, you can use H2's ChangeFileEncryption tool as described in http://www.h2database.com/html/features.html#file_encryption or you can delete your h2db.mv.db file and have the InformixHQ server recreate it from scratch the next time you start it.
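
A configuration check covering the answers above on initialAdminPassword, HTTPS, and H2 encryption, as an added example (not IBM's or InformixHQ's own code). The function names, the rule that a missing httpPort leaves plain HTTP enabled, and the POSIX file-permission check are assumptions of this example.

```python
import os
import stat

# Constructed sample: the page's HTTPS sample file, as left after first start.
PAGE_SAMPLE = """\
initialAdminPassword=myAdminPassword
httpPort=-1
httpsPort=8088
redirectHTTPtoHTTPS=false
ssl.keystore.file=/opt/informixhq/mykeystore.jks
ssl.keystore.password=myStorePassword
"""

def parse_properties(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props

def audit_server_properties(text, first_start_done=True):
    """Return findings for an InformixHQ server properties file (hypothetical helper)."""
    p = parse_properties(text)
    on = lambda k: p.get(k, "").lower() == "true"
    findings = []
    if first_start_done and "initialAdminPassword" in p:
        findings.append("initialAdminPassword still present after first start")
    if not all(p.get(k) for k in ("httpsPort", "ssl.keystore.file", "ssl.keystore.password")):
        findings.append("HTTPS not fully configured")
    # Assumption: a missing httpPort leaves plain HTTP enabled.
    if p.get("httpPort") != "-1" and not on("redirectHTTPtoHTTPS"):
        findings.append("plain HTTP served without redirect to HTTPS")
    if not on("h2.encrypt.enable"):
        findings.append("H2 database encryption not enabled")
    elif not p.get("h2.encrypt.password"):
        findings.append("h2.encrypt.enable=true but h2.encrypt.password is missing")
    return findings

def file_mode_finding(path):
    """Flag a properties file that group or others can read (it holds passwords)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        return f"{path} is readable by group/others (mode {mode:o})"
    return None

if __name__ == "__main__":
    for finding in audit_server_properties(PAGE_SAMPLE):
        print("FINDING:", finding)
```

Run against the page's sample file, the check reports the leftover initialAdminPassword and the unencrypted H2 database. The keystore and H2 passwords remain in the file after hardening, which is why the file mode is checked as well.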

How can I configure InformixHQ to use SSL when connecting to my database server?

If your database supports or requires SSL connections, you can set up SSL using the connection properties on the Add Server page when adding the server or on the server’s Setup page after it is created.

You must add the following connection properties in order to use SSL on InformixHQ’s JDBC connections to your database server:
SSLCONNECTION=true
SSL_TRUSTSTORE=/path/to/truststore
SSL_TRUSTSTORE_PASSWORD=password

The truststore/keystore file that you specify must be present both on the machine where the InformixHQ server is running and on the machine where the InformixHQ agent is running.

For more information, see Adding Servers and Groups.